The Turkish Government Masqueraded Site Distributing Android RAT

Latest RAT Variant Incorporates VNC and Keylogging Features

In the ever-expanding digital landscape, where our lives are increasingly intertwined with technology, threats to our online security have become more prevalent than ever before. Phishing attacks, in particular, have emerged as a nefarious method employed by cybercriminals to trick unsuspecting users into revealing sensitive information or unknowingly downloading malware onto their devices.

Cyble Research & Intelligence Labs (CRIL) recently identified a phishing site hxxps://scanyalx[.]online masquerading as a legitimate government platform from Turkey which not only aims to deceive users but also distributes a dangerous Android Remote Access Trojan (RAT).

The phishing site impersonates a genuine government site from Turkey named “e-Devlet kapısı (turkiye.gov.tr)”. This government site provides a platform to access government services such as social security documents, forensic clearance, traffic bills, tax debts, and many more.

The Threat Actor (TA) behind this campaign has precisely crafted a phishing site that bears a striking resemblance to a genuine government website, deceiving unsuspecting users into believing they are engaging with a legitimate organization. The phishing site employs a clever tactic, prompting users to verify returns for the Card Fee Payment System by providing their identity information.

Figure 1 – Phishing site impersonating Turkish Government website

After the victim enters their credentials, the phishing site proceeds to open the next webpage. This webpage notifies the victim about the due amount of “5420 TL” and prompts them to download an application in order to receive an immediate refund for the payment. The provided figure illustrates this situation.

Figure 2 – Phishing site downloads malicious APK file

When the victim clicks on the “Click to Download” button, the phishing site initiates the download of a malicious APK file named “edevletiadesistemi.apk”. Interestingly, we have noticed that each time victims enter their credentials and visit the download page, the malicious APK file is downloaded with a different name, such as “edevlet.apk” and “cimer.apk”.

Upon further examination of the downloaded malicious file, it has been determined that the malware is a RAT that operates based on commands received from a Command and Control (C&C) server. What makes this RAT particularly dangerous is its advanced functionality, including features such as VNC (Virtual Network Computing) and keylogging, enabling it to carry out a wide range of malicious activities covertly without raising suspicion.

In the technical analysis section, we delve into a detailed description of the RAT’s features, shedding light on how it operates and the potential risks it poses.

Technical Analysis

APK Metadata Information  

  • App Name: Aidat İadesi
  • Package Name: com.wraraooezwnvxnzd.tdjfjskljirvxhpbj
  • SHA256 Hash: 414ea005199ba221c0048a4a7c544ae3e0891c9fe1634bbfc0cd6f3938b5f029

  

The below figure shows the metadata information of the application. 

Figure 3 – Application metadata information

The absence of components other than the application’s subclass in the Manifest file suggests that the application is packed. As a result, when the application is run, it unpacks the DEX file found in the assets folder and proceeds to load the classes it contains.

The dropped DEX file in the zip folder “secondary-dexes/base.apk.classes2.zip”, named “classes2.dex,” contains all the classes that were missing.

Figure 4 – Dropped unpacked dex file

After installation, the RAT loads an HTML file called “pmuxmlpr.html” from the assets folder. This HTML file is then displayed within a WebView, showing a message that says “Başvuruyu Tamamla Ve Sorgulama Yap!” (which translates to “Complete the Application and Make an Inquiry!”).

Figure 5 – Malware displaying a message from the Assets file

Upon clicking on the message, the RAT prompts the user to enable the Accessibility service. Once enabled, the malware exploits this service to carry out its malicious activities, including preventing uninstallation, keylogging, and granting permissions without the user’s knowledge.

Figure 6 – Prompts for the Accessibility Service

Subsequently, the RAT establishes communication with a Telegram account link to fetch the C&C server address from the webpage. The malware includes three links in its code, consisting of two Telegram account links and one icq account link. It tries to connect all the available links until it receives an active C&C server, allowing it to fetch and establish a connection with the C&C server for further operations and malicious activities.

Figure 7 – URL list present in the code to fetch the C&C server

Figure 8 – Retrieve C&C from the icq account webpage

TAs commonly employ this tactic to conceal the C&C server and avoid detection. In this scenario, RAT retrieves an encrypted value from the Telegram account. Subsequently, it decrypts this value and establishes a connection with the actual C&C server hxxps://a2a2a2a[.]life/sk.

Figure 9 – Fetching C&C server

The RAT performs a range of malicious operations upon receiving commands from the C&C server. These activities include keylogging, gathering sensitive data, initiating VNC (Virtual Network Computing), and various others.

Below is a list of the commands utilized by the RAT to carry out its malicious activities.

CommandDescription
actvncStarts VNC service
allsmsSteals SMS
bloappReceives application name to stop execution
keylogCollects keylogs
fillfocusEnter a value in a text edit field
remjobExecute commands
runappLaunch application
trasmsSteal incoming SMS
permdrawoverPrompts the user to grant overlay permissions
permbatPrompts the user to grant battery optimization permission
copyclipCopy text to clipboard
unbloappRemoves package name from BLOCK_APP list
updateinfoSend updated stolen data
iniSend basic device information
logGet status value
regGet USER_SECRETE shared preference value
callCalls from the infected device
ghostGets Accessibility node information
lockscrLocks screen
permpermPrompts to grant permission based on value received from the server
instappsCollects installed application package names
permwritePrompts to grant permission to modify system settings
singlelockPerform global action
setbrightModify brightness
remprotUninstall application
mutesoundMute audio
getcontactsCollect contacts
destroyDelete application
sendsmsSend an SMS from an infected device

The RAT heavily depends on the Accessibility service to carry out its malicious activities. In a particular scenario, when the malware receives a command called “Ghost” from the C&C server. Upon receiving this command, the malware captures all the information about the active window on the infected device, including text and other user interface (UI) components, as depicted in the figure below.

Figure 10 – Collecting active window’s node information

Virtual Network Computing (VNC) has become a popular tool among Android malware developers, enhancing the RAT capabilities of their creations. The RAT cleverly incorporates VNC functionality into its arsenal. When the RAT receives the command “actVNC,” it springs into action, initiating VNC. This powerful feature empowers the RAT to execute a surplus of malicious activities, ranging from executing unauthorized transactions to silently exfiltrating sensitive data. The incorporation of VNC not only makes the RAT more sophisticated but also raises concerns about the potential impact it can have on unsuspecting victims.

Figure 11 – VNC functionality used by the malware

To implement the VNC feature, the malware utilizes a readily available open-source Android library called “rtmp-rtsp-stream-client-java”, which offers the capability to stream audio and video content and abuses Accessibility service to interact with UI elements to perform operations.

Figure 12 – Creating Audio and Video stream using open-source Android Library

Furthermore, the malware can manipulate the text edit field within the targeted application running on the infected device. This feature may enable the TA to engage in fraudulent activities by monitoring VNC streaming and exploiting the Accessibility Service to interact with the application.

Figure 13 – Inserting value in the edit text field of the targeted application

Likewise, RATs can modify the clipboard’s content according to commands received from the C&C server. The provided code snippet demonstrates how the malware assigns the received value from the C&C server to the clipboard. By manipulating the clipboard’s content, the malware can carry out unauthorized transactions without the user’s awareness.

Figure 14 – Modifying clipboard content

Upon receiving the command “sendsms,” the RAT proceeds to send an SMS from an infected device to the phone number specified by the C&C server. The SMS body content is also obtained from the C&C server, as depicted in the figure below. The malware may utilize this SMS functionality to distribute itself by sending messages to the contacts of victims or subscribing them to premium services without their knowledge or consent.

Figure 15 – Malware sends an SMS from an infected device

Also, the malware is capable of initiating phone calls from an infected device to the number provided by the C&C server without any user interaction when the command “call” is received.

Figure 16 – Calling the number received from the C&C server

Additionally, the RAT gathers Personally Identifiable Information (PII) from the infected device, including contacts, SMS messages, basic device details, and the package names of installed applications. Subsequently, the malware proceeds to transmit the stolen data to the C&C server.

Figure 17 – Malware collects contact data

Figure 18 – Stealing SMS data

Figure 19 – collects basic device information

Figure 20 – Collects installed applications package name list

The RAT carries out various actions, including launching or deleting applications, muting the device, adjusting brightness settings, requesting permissions, executing commands, and more. These capabilities demonstrate that the RAT is fully operational and capable of carrying out malicious activities.

Conclusion

TAs often employ tactics of impersonation, specifically targeting trusted entities such as government agencies or well-known institutions. By exploiting individuals’ unwavering trust in these organizations, TAs craft highly deceptive phishing websites and distribute malware to unsuspecting victims. In this particular scenario, the TA utilizes the Turkish Government website as a lure, enticing individuals into unwittingly downloading a dangerous RAT. This RAT possesses the capability to execute advanced features like VNC, enabling cybercriminals to carry out a range of malicious activities.

The stealthy nature of this RAT raises significant concerns. Its ability to operate covertly and receive commands from a remote server grants cybercriminals the freedom to engage in nefarious actions without fear of detection. The potential consequences for victims can be severe. It is essential for individuals to maintain a state of vigilance and continually educate themselves about the threats that exist within the online landscape. By remaining aware of the existence of phishing sites and their deceptive techniques, users can proactively safeguard themselves against falling prey to such scams.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

  • Download and install software only from official app stores like Google Play Store or the iOS App Store.
  • Use a reputed antivirus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
  • Never share your Card Details, CVV number, Card PIN, and Net Banking Credentials with an untrusted source.
  • Use strong passwords and enforce multi-factor authentication wherever possible.
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
  • Be wary of opening any links received via SMS or emails delivered to your phone.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Be careful while enabling any permissions.
  • Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
ExecutionT1623.001Command and Scripting Interpreter: Unix Shell
PersistenceT1624.001Event-Triggered Execution: Broadcast Receivers
Defense EvasionT1630.001Indicator Removal on Host: Uninstall Malicious Application
ImpactT1516Input Injection
CollectionT1417.001Input Capture: Keylogging
CollectionT1616Call Control
CollectionT1636.003Protected User Data: Contact List
CollectionT1636.004Protected User Data: SMS Messages
DiscoveryT1418Software Discovery
ExfiltrationT1412Exfiltration Over C2 Channel
ImpactT1641Data Manipulation
ImpactT1582SMS Control

Indicators of Compromise (IOCs)

IndicatorsIndicator TypeDescription
414ea005199ba221c0048a4a7c544ae3e0891c9fe1634bbfc0cd6f3938b5f029SHA256  edevletiadesistemi.apk
27fc0d3baddc7070f9e35a4c7f1d349435041949SHA1  edevletiadesistemi.apk
53970ff7dd8edaec7fc0cdd030c0b038MD5edevletiadesistemi.apk
68b56ef06b2c9403ade11bebef939fa4e754f44647cd2e313355568f87739942SHA256  Cimer.apk
d537bc931f4e967269502e0c764cf623a18e1735SHA1  Cimer.apk
e69248a7308436d8c6dde803c22821cbMD5Cimer.apk
68035c06c9ee1076a40d270029522dd21136e5c4bbec534768d2296af2212062SHA256  edevlet.apk
efabb77fa3b4f745b796043e23a853d905692151SHA1  edevlet.apk
0b4b6c0cbeb4ed114bed28960aaa6af0MD5edevlet.apk
hxxps://t[.]me/pempeppepepepURLWebpage to fetch C&C address
hxxps://icq[.]im/AoLH58pXY8ejJTQiWg8URLWebpage to fetch C&C address
hxxps://t[.]me/xpembeppep2p2URLWebpage to fetch C&C address
hxxps://a2a2a2a[.]life/skURLC&C server

Scroll to Top